Stolen FireEye Weapon

On December 8, FireEye reported that a successful attack resulted in a highly skilled APT group gaining access to the tools that the company used as the Red Team's arsenal.



Unwittingly, the news refers to 2017, when the CIA and NSA tools for hacking the infrastructure got into the network. These leaks gave the world a wide variety of utilities: from exploits for home routers and Smart TVs to control servers for infected hosts. The greatest resonance was generated by the EternalBlue exploit, which was used in the ransomware WannaCry, Petya, NotPetya, which paralyzed the activities of companies around the world.

Returning to the current case, FireEye assures that there are no 0-day exploits and tools for exploiting previously unknown techniques in the leaked data. FireEye also published a set of rules (YARA, Snort, OpenIOC, ClamAV) on GitHub for detecting leaked tools.



Based on the information provided by FireEye, let's try to figure out what kind of arsenal the attackers received during a successful attack and whether they managed to expand the toolkit with some fundamentally new means.

So,



git clone https://github.com/fireeye/red_team_tool_countermeasures







Next, let's try to recreate the tools used by the Red Team FireEye team at different stages of the attack's development. We will consider techniques according to the MITER ATT & CK classifier

Preliminary preparation of a malicious load (Resource Development)

• Matryoshka – . , .
• LNKSmasher – LNK- . LNK-.
• GadgetToJScript – , .NET- VBS, VBA, JS, HTA.
• Redflare – FireEye RedTeam.
• RESUMEPLEASE – Microsoft Office c VBA (Visual Basic for Application) .
• SinfulOffice is a utility for creating malicious Microsoft Office documents with embedded OLE objects
• WildChild - utility for creating malicious HTA files (HTML Application)
• PrepShellCode - utility for preparing shellcode

Initial Access to the Infrastructure

Exploits used in malicious mailings that require user action:

• Expl-CVE-2017-11774 - exploit for vulnerability in Microsoft Outlook

Exploits for vulnerabilities in public network services:

• Expl-CVE-2019-0708 is an exploit for a vulnerability in Microsoft Remote Desktop Services (RDS), also known as BlueKeep.
• Expl-CVE-2019-19781 – Citrix Application Delivery Controller (ADC) Citrix Gateway
• Expl-CVE-2019-8394 – Zoho ManageEngine ServiceDesk Plus (SDP)

(Execution)

• Cobalt Strike – . .
• DShell – Windows-, D
• DTRIM – SharpSploit – . windows-, .Net-, PowerShell, .
• DueDLLigence – FireEye DLL .
• Impacket-Obfuscation – Impacket Windows-. (PSExec, Tack Scheduler WMI)
• In-MemoryCompilation –
• TrimBishop – RuralBishop, . suspended .
• C_Sharp_SectionInjection – PE-

(Persistence)

• Cobalt Strike – , StayKit (, , LNK, , WMI)
• Mofcomp — MOF (Managed Object Format) WMI. .
• SharPersist – FireEye Windows-. : KeePass, , , , SVN hook, ,
• SharPivot – .Net . : WMI, RPC, , , WinRM, COM, ,
• SharpSchtask –
• Justtask –
• Keepersist –

(Privilege Escalation)

• Cobalt Strike – . ElevateKit, (CVE 2020-0796, CVE-2014-4113, CVE 2015-1701, CVE 2016-0051, CVE-2016-099)
• Sharpzerologon – Netlogon (CVE-2020-1472), Zerologon. . Cobalt Strike
• Expl-CVE-2014-1812 – Group Policy Windows
• Expl-CVE-2016-0167 – Windows kernel-mode driver
• Expl-CVE-2020-1472 – Netlogon
• Expl-CVE-2018-8581 – Microsoft Exchange

(Defense Evasion)

• Cobalt Strike – , .
• DTRIM – SharpSploit – . AMSI ETWEventWrite ETW
• Matryoshka – . , . Process Hollowing
• NoAmci – AMSI.dll c AMSI (Antimalware Scan Interface) Assembly.Load(). .NET- .
• PGF – . . Application Whitelistening DLL
• SharpStomp – : , ,
• NET-Assembly-Inject – .Net
• NetshShellCodeRunner – NetSh.exe DLL

(Credential Access)

• Cobalt Strike – . .
• Adpasshunt — Group Policy Preferences msSFU30Password UserPassword Active Directory
• DTRIM – SharpSploit – . Kerberos
• Excavator – .
• Rubeus — Kerberos, Kerberoasting
• Fluffy – Rubeus.
• Impacket-Obfuscation — Impacket Windows-. (SAM, LSA, NTDS.dit), Kerberos ( Kerberos-, Golden Ticket), MiTM- NTLM.
• InveighZero – MiTM- LLMNR, NBNS, mDNS, DNS, DHCPv6
• KeeFarce – KeePass 2.x. DLL KeePass
• PXELoot (PAL) – WDS (Windows Deployment Services)
• SafetyKatz – LSASS. Mimikatz PE C#
• TitoSpecial – AndrewSpecial LSASS. EDR
• CredSnatcher –
• WCMDump – Windows Credential Manager
• Expl-CVE-2018-13379 – FortiOS SSL VPN,
• Expl-CVE-2019-11510 – Pulse Secure SSL VPN,

(Discovery)

• Cobalt Strike – . .
• Seatbelt – Windows
• CoreHound — .Net , fork SharpHound Active Directory .
• PuppyHound – SharpHound Active Directory
• DTRIM – SharpSploit – . .
• EWSRT – RT-EWS Exchange, Office 365
• Getdomainpasswordpolicy – Active Directory
• gpohunt – Active Directory
• SharpUtils – , C# execute assembly Cobalt Strike
• WMISharp – WMI
• WMIspy – WMI
• modifiedsharpview — SharpView, Active Directory

(Lateral Movement)

• Cobalt Strike – . (PsExec, WinRM, Windows Admin Shares)
• DTRIM – SharpSploit – . WMI, DCOM, , PowerShell Remoting.
• Impacket-Obfuscation – Impacket Windows-. (PSExec, Tack Scheduler WMI) Samba (CVE-2017-7494), Kerberos (CVE-2016-0049), Netlogon (CVE-2015-0005)
• WMIRunner – WMI
• SharPivot – .Net . : WMI, RPC, , , WinRM, COM, ,
• Expl-CVE-2018-15961 – Adobe ColdFusion
• Expl-CVE-2019-0604 – Microsoft Sharepoint
• Expl-CVE-2019-0708 – Microsoft Remote Desktop Services (RDS), BlueKeep
• Expl-CVE-2019-11580 – Atlassian Crowd
• Expl-CVE-2019-3398 – Atlassian Confluence Server
• Expl-CVE-2020-0688 – Microsoft Exchange
• Expl-CVE-2020-10189 – ZoHo ManageEngine Desktop Central

(Command and Control)

• Cobalt Strike – . Team Server .
• DShell – Windows-, D
• Redflare – FireEye RedTeam.
• GoRAT – (Windows, MacOS), Redflare. Go
• DoHC2 – Cobalt Strike DNS over HTTPS (DoH)
• prat – remote access trojan

• SharpGrep –
• sharpdacl – ACL
• sharpdns – DNS
• sharpgopher – Gopher
• sharpnativezipper –
• sharpnfs – NFS
• sharppatchcheck - utility for checking installed updates
• sharpsqlclient - SQL client
• sharpwebcrawler - Crawler of web pages
• sharpziplibzipper - compression utility using libzip

Utilities of unknown purpose

According to the information provided, the purpose of these utilities could not be understood.

• Allthethings
• SharpGenerator
• Lualoader
• MSBuildMe
• Revolver
• Sharpsack
• Sharpy
• red_team_materials
• sharptemplate

Results of the analysis

• Most of the tools are designed to carry out attacks on Microsoft Windows infrastructure
• To develop the attack, the commercial framework Cobalt Strike is used, as well as modified versions of well-known open source projects (SharpView, SharpSploit, Impacket, SharpHound, SafetyKatz)
• open source
• , C#
• FireEye .
• ,

, :

• Linux Unix-
• Web-

A successful attack on the giant of the information security market will undoubtedly be included in the list of significant events in our industry, but you also need to understand that the Red Team's tools were definitely not the target of the attackers. FireEye has worked for large companies around the world and was also a contractor for US government agencies, such as the Department of Defense, Health and Human Services, Treasury, Homeland Security, etc. The data of these organizations is a more tasty morsel for pro government hackers than a selection of exploits and utilities.



As the analysis has shown, even the publication of utilities in the public domain will not significantly affect the risk picture for organizations. most of the arsenal is already available to attackers in the form of open source projects.





Sergey Rublev. Development Director Pangeo Radar, CISSP